#
# Set up OpenSSL certificates for the tog-pegasus cimserver
#
# Creates a default ssl.cnf file.
# Generates a self-signed certificate for use by the cimserver.
#
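function create_ssl_cnf #(config_file, CN)
{
  # Write an OpenSSL request configuration file into $PEGASUS_CONFIG_DIR.
  #
  # Arguments:
  #   $1 - file name of the configuration file (created or overwritten
  #        under $PEGASUS_CONFIG_DIR)
  #   $2 - optional suffix appended to the CN so that the issuer (CA)
  #        name differs from the subject (service) name; omitted for
  #        the service certificate
  # Globals:
  #   PEGASUS_CONFIG_DIR (read) - directory the file is written to
  # Outputs: the configuration file only; nothing on stdout
  local ssl_cfg=$1
  local ca=$2
  local cfg_path="$PEGASUS_CONFIG_DIR/$ssl_cfg"
  local dn fqdn

  # Subject CN: the host name, resolved to an FQDN when possible.
  # 'hostname --fqdn' is deliberately avoided because it can hang
  # indefinitely; 'host' is bounded by -W1 and a failed lookup falls
  # back to the bare host name via the echo.
  dn=$(hostname)
  if [ -z "$dn" ] || [ "$dn" = "(none)" ]; then
    dn='localhost.localdomain'
  fi
  fqdn=$({ host -W1 "$dn" 2>/dev/null || echo "$dn has address "; } \
    | grep 'has address' | head -1 | sed 's/\ .*$//')
  if [ -z "$fqdn" ]; then
    fqdn="$dn"
  fi
  # The value comes from the host/DNS lookup and is spliced verbatim into
  # a file that OpenSSL parses; anything outside the host-name character
  # set would be read as config syntax, so such a value is replaced by
  # the fallback name instead.
  case $fqdn in
    *[!A-Za-z0-9._-]*) fqdn='localhost.localdomain' ;;
  esac

  # The whole file is written in one redirection instead of one echo per
  # line. x509v3 sections let CA certificates be told apart from service
  # certificates: [ v3_req ] marks a request as not-a-CA, [ v3_ca ] is used
  # for the self-signed CA certificate (selected by x509_extensions).
  cat > "$cfg_path" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req
x509_extensions = v3_ca
[ req_distinguished_name ]
C = UK
ST = Berkshire
L = Reading
O = The Open Group
OU = The OpenPegasus Project
CN = $fqdn$ca
[ v3_req ]
basicConstraints = CA:FALSE
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:TRUE
EOF
}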
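# Top-level flow:
#   1. (re)create the OpenSSL config files when any expected file is missing;
#   2. generate a throw-away CA, the service key and the CA-signed service
#      certificate when the config changed or the key/cert is missing;
#   3. seed the truststore from the CA certificate if it does not exist.
# Globals read: PEGASUS_CONFIG_DIR, PEGASUS_INSTALL_LOG, PEGASUS_PEM_DIR,
#   PEGASUS_SSL_CERT_FILE, PEGASUS_SSL_KEY_FILE, PEGASUS_SSL_TRUSTSTORE
cnfChanged=0
if [ ! -e "$PEGASUS_CONFIG_DIR/ssl-ca.cnf" ] ||
   [ ! -e "$PEGASUS_CONFIG_DIR/ssl-service.cnf" ] ||
   [ ! -e "$PEGASUS_CONFIG_DIR/server.pem" ] ||
   [ ! -e "$PEGASUS_CONFIG_DIR/file.pem" ] ||
   [ ! -e "$PEGASUS_CONFIG_DIR/client.pem" ]; then

  mkdir -p "${PEGASUS_INSTALL_LOG%/*}"
  mkdir -p "$PEGASUS_CONFIG_DIR"

  # The CA config gets a "CA" suffix on its CN so issuer != subject.
  create_ssl_cnf ssl-ca.cnf CA
  create_ssl_cnf ssl-service.cnf

  # Config files are root-only; the glob is intentionally unquoted.
  chmod 400 "$PEGASUS_CONFIG_DIR"/ssl-*.cnf
  chown root:root "$PEGASUS_CONFIG_DIR"/ssl-*.cnf

  cnfChanged=1
fi

if [ "$cnfChanged" -eq 1 ] ||
   [ ! -e "$PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE" ] ||
   [ ! -e "$PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE" ]; then

  mkdir -p "$PEGASUS_PEM_DIR"

  # Temporary file for the CA private key. It lives only for the duration
  # of this block; an empty result means mktemp failed and nothing below
  # could succeed, so stop here rather than continue with an empty path.
  TMPKEY=$(mktemp --tmpdir="$PEGASUS_PEM_DIR" XXXXXXXXXXXX)
  if [ -z "$TMPKEY" ]; then
    printf 'cannot create temporary CA key file in %s\n' "$PEGASUS_PEM_DIR" >&2
    exit 1
  fi

  # Both private keys are generated under umask 0077 so they are root-only
  # from the moment they exist, not just after the chmod further down.
  # The subshell scopes the umask, so the public files (certificates,
  # serial) keep the caller's umask.
  ( umask 0077
    /usr/bin/openssl genrsa -out "$TMPKEY" 2048 &&
    /usr/bin/openssl genrsa -out "$PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE" 2048 )

  # Self-signed CA certificate; extensions come from [ v3_ca ] via the
  # x509_extensions setting in ssl-ca.cnf.
  /usr/bin/openssl req -new -x509 -days 3650 \
    -config "$PEGASUS_CONFIG_DIR/ssl-ca.cnf" \
    -key "$TMPKEY" \
    -out "$PEGASUS_PEM_DIR/ca.crt"

  # Signing request for the service certificate
  /usr/bin/openssl req -new \
    -config "$PEGASUS_CONFIG_DIR/ssl-service.cnf" \
    -key "$PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE" \
    -out "$PEGASUS_PEM_DIR/server.csr"

  # Sign the request with the CA. -extensions v3_req selects the
  # "basicConstraints = CA:FALSE" section of the config file so the
  # service certificate cannot itself act as a CA; without it, x509 -req
  # looks for extensions in the file's unnamed default section, which this
  # config does not populate. -CAcreateserial writes ca.srl next to ca.crt.
  /usr/bin/openssl x509 -req -days 3650 \
    -in "$PEGASUS_PEM_DIR/server.csr" \
    -CA "$PEGASUS_PEM_DIR/ca.crt" \
    -CAkey "$TMPKEY" \
    -CAcreateserial \
    -out "$PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE" \
    -extfile "$PEGASUS_CONFIG_DIR/ssl-ca.cnf" \
    -extensions v3_req

  # Final permissions: key root-only, certificate world-readable.
  chmod 400 "$PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE"
  chmod 444 "$PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE"

  # The signing request is not needed once the signature is complete.
  rm -f "$PEGASUS_PEM_DIR/server.csr"

  # Delete the CA private key so it cannot be used to sign any other
  # (possibly suspicious) certificates. Generating a new service
  # certificate therefore needs a new CA cert, but real deployments are
  # expected to use real PKI infrastructure. The key is 0600/root-owned
  # and has a random name for the short time it exists, which limits
  # the window between generation and deletion.
  rm -f "$TMPKEY"
fi

if [ ! -e "$PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE" ]; then
  # The truststore starts out as a copy of the CA certificate so the
  # cimserver trusts certificates it issued itself.
  cp -fp "$PEGASUS_PEM_DIR/ca.crt" \
    "$PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE"
  chmod 444 "$PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE"
fi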